Skip to content

Instantly share code, notes, and snippets.

@HauptJ

HauptJ/SetupWinRMAccessSelfSigned.ps1

Last active April 14, 2024 12:53
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save HauptJ/df2fa41d06b87641ed15452150e3429d to your computer and use it in GitHub Desktop.
Save HauptJ/df2fa41d06b87641ed15452150e3429d to your computer and use it in GitHub Desktop.
Download ZIP
WINRM HTTPS
Raw
SetupWinRMAccessSelfSigned.ps1
Set-Location -Path "C:\WINRM"
$ErrorActionPreference = "Stop"
Import-Module BitsTransfer
$opensslPath = "$ENV:HOMEDRIVE\OpenSSL-Win32"
if($PSVersionTable.PSVersion.Major -lt 4) {
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
. "$scriptPath\GetFileHash.ps1"
}
function VerifyHash($filename, $expectedHash) {
$hash = (Get-FileHash -Algorithm SHA1 $filename).Hash
if ($hash -ne $expectedHash) {
throw "SHA1 hash not valid for file: $filename. Expected: $expectedHash Current: $hash"
}
}
function InstallVCRedist2008() {
$filename = "vcredist_x86_2008.exe"
$url = "http://download.microsoft.com/download/1/1/1/1116b75a-9ec3-481a-a3c8-1777b5381140/vcredist_x86.exe"
Start-BitsTransfer -Source $url -Destination $filename
VerifyHash $filename "56719288ab6514c07ac2088119d8a87056eeb94a"
Start-Process -Wait -FilePath $filename -ArgumentList "/q"
del $filename
}
function GetLatestOpenSSLPackage() {
$filename = "win32_openssl_hashes.json"
Start-BitsTransfer -Source "https://slproweb.com/download/$filename" -Destination $filename
$files = (ConvertFrom-Json (Get-Content $filename -Raw)).files
del $filename
$members = foreach($file in ($files | Get-Member -MemberType NoteProperty)) {
if ($file.Name -like "Win32*" -and $file.Name -like "*Light*") {
$file
}
}
$latest = $null
foreach($member in $members) {
$current = $files.($member.Name)
if ($latest -ne $null) {
if ([System.Version]$latest.basever -lt [System.Version]$current.basever) {
$latest = $current
}
}
else {
$latest = $current
}
}
Return $latest
}
function InstallOpenSSL() {
if (!(Test-Path $opensslPath)) {
$latestPackage = GetLatestOpenSSLPackage
if($latestPackage -eq $null) {
throw "Failed to get latest version of OpenSSL from slproweb.com"
}
$filename = Split-Path $latestPackage.url -leaf
Start-BitsTransfer -Source $latestPackage.url -Destination $filename
VerifyHash $filename $latestPackage.sha1
Start-Process -Wait -FilePath $filename -ArgumentList "/silent /verysilent /sp- /suppressmsgboxes"
del $filename
}
}
function GenerateSelfSignedCertificate($certFilePfx, $pfxPassword) {
$opensslConf = "openssl_server_auth.cnf"
Set-Content $opensslConf @"
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
[v3_req_server]
extendedKeyUsage = serverAuth
[v3_ca]
"@
$certFilePem = "server_cert.pem"
$keyFilePem = "server_cert.key"
$openssl = "$opensslPath\bin\openssl.exe"
$subject = "/C=RO/ST=Timis/L=Timisoara/emailAddress=fake@email.com/organizationName=Cloudbase/CN=$ENV:COMPUTERNAME"
$ENV:OPENSSL_CONF = $opensslConf
& $openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out $certFilePem -outform PEM -keyout $keyFilePem -subj $subject -extensions v3_req_server
if ($LastExitCode) { throw "OpenSSL failed to create the self signed server certificate" }
& $openssl pkcs12 -export -in $certFilePem -inkey $keyFilePem -out $certFilePfx -password pass:$pfxPassword
if ($LastExitCode) { throw "OpenSSL failed to export P12 certificate" }
del $opensslConf
$ENV:OPENSSL_CONF = ""
del $certFilePem
del $keyFilePem
}
function ImportCertificate($certFilePfx, $pfxPassword) {
# Get the machine personal certificate store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
[System.Security.Cryptography.X509Certificates.StoreName]::My,
[System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
"$(pwd)\$certFilePfx", $pfxPassword,
([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet))
$store.Add($cert)
return $cert.Thumbprint
}
function RemoveExistingWinRMHttpsListener() {
$httpsListener = Get-Item -Path wsman:\localhost\listener\* | where {$_.Keys | where { $_ -eq "Transport=HTTPS"} }
if ($httpsListener) {
Remove-Item -Recurse -Force -Path ("wsman:\localhost\listener\" + $httpsListener.Name)
}
}
function CreateWinRMHttpsFirewallRule() {
& netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986
if ($LastExitCode) { throw "Failed to setup WinRM HTTPS firewall rules" }
}
$certFilePfx = "server_cert.p12"
$pfxPassword = "Passw0rd"
$osVer = [System.Environment]::OSVersion.Version
if ($osVer.Major -eq 6 -and $osVer.Minor -le 1) {
InstallVCRedist2008
}
InstallOpenSSL
GenerateSelfSignedCertificate $certFilePfx $pfxPassword
$certThumbprint = ImportCertificate $certFilePfx $pfxPassword
del $certFilePfx
RemoveExistingWinRMHttpsListener
New-Item -Path wsman:\localhost\listener -transport https -address * -CertificateThumbPrint $certThumbprint -Force
Set-Item wsman:\localhost\service\Auth\Basic -Value $true
# Increase the timeout for long running scripts
Set-Item wsman:\localhost\MaxTimeoutms -Value 1800000
CreateWinRMHttpsFirewallRule
#reg key for use by automation to verify this script has completed
if (-not (Test-Path HKLM:\SOFTWARE\cloudbase)) {New-Item -Path HKLM:\SOFTWARE\cloudbase}
Set-ItemProperty -Path HKLM:\SOFTWARE\cloudbase -Name WinRMAccess -Value 1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment